IAM customer managed policies should enforce Bedrock Guardrails at runtime invocation
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
This control checks whether your IAM policies for Bedrock invocation actions require Bedrock Guardrails to be attached. Without this requirement, callers can bypass Bedrock Guardrails at runtime.
The control fails if the policy allows any of the following actions without a condition requiring a Guardrail:
bedrock:InvokeModelbedrock:InvokeModelWithResponseStreambedrock:Conversebedrock:InvokeAgentbedrock:**
The control specifically verifies the presence of guardrail conditions, such as GuardrailIdentifier, ensuring that protective measures are in place.
See the IAM JSON Policy Elements: Condition and Editing inline policies documentation for guidance on modifying policies to include necessary guardrail conditions.
